JAKARTA - A package of sophisticated hacking tools that were previously suspected of being used by government agencies to infiltrate iPhones has now been identified as being in the hands of cybercriminals. This finding raises new concerns about how state-of-the-art digital exploits can leak and turn into commodities on the black market.
Security researchers from Google revealed that they first detected a toolkit called Coruna in February 2025. At that time, the exploit package was used by surveillance vendors to try to infiltrate target phones on behalf of government clients.
Months later, the same toolkit was found in a large-scale campaign targeting users in Ukraine by a Russian espionage group. Not stopping there, Coruna was also detected being used by financially motivated hackers in China.
It is not yet clear how the tool leaked or spread. However, Google researchers warned of the emergence of a new market for "used" exploits that are resold to hackers who want to maximize profits from security gaps. This phenomenon shows a dangerous cycle: tools designed for state intelligence operations can end up in the hands of uncontrollable non-state actors.
Mobile security company iVerify obtained and dissected the toolkit. In its analysis, iVerify attributed Coruna to the United States government, based on similarities to hacking tools previously attributed to the US.
"The more widespread the use of tools like this, the greater the likelihood of leaks," wrote iVerify. "Although we have a number of pieces of evidence that this is a leaked US government framework, it should not obscure the fact that these tools will eventually circulate outside and be used irresponsibly by malicious actors."
According to Google, Coruna is very powerful. The toolkit can penetrate the iPhone's defenses simply by getting the victim to visit a malicious website containing the exploit code, for example through a trap link in what is known as a watering hole attack. In this scenario, the victim does not need to download any application; opening the web page that carries the malicious code is enough.
Google says Coruna is able to hack iPhones through five different paths by combining 23 vulnerabilities at once in a single attack chain. Affected devices include iPhones with iOS 13 to iOS 17.2.1, the version released in December 2023. This means that devices with old operating systems are easy targets if they have not been updated.
The initial report on Coruna was first revealed by Wired. The toolkit is said to have components previously used in a hacking campaign called Operation Triangulation. In 2023, Russian cybersecurity company Kaspersky claimed that the US government tried to hack a number of iPhones belonging to its employees.
This case is reminiscent of the 2017 incident when the National Security Agency's hacking tool was leaked. The Windows backdoor called EternalBlue was then published and used in various major cyber attacks, including the WannaCry ransomware linked to North Korea. From the intelligence laboratory to the hands of global criminals, its journey is almost like a movie plot, only the impact is real and expensive.
Recently, the case of Peter Williams came to light. The former head of US defense contractor L3Harris Trenchant was sentenced to more than seven years in prison after pleading guilty to stealing and selling eight exploits to brokers known to work with the Russian government.
Prosecutors said the exploit was able to hack "millions of computers and devices" around the world. At least one exploit was sold to a South Korean broker, and it is unclear whether the vulnerability was ever reported or patched by the software maker.
The Coruna findings reveal the dark side of the global cyber economy: exploits are not just technical tools, but high-value assets that can change hands. In this ecosystem, leaks are not just a possibility, but a structural risk. When software becomes a battlefield, every operating system update is not just about new features, but also about survival in an increasingly wild digital landscape.